Skip to main content

Continuous and Visible Security Testing with BDD-Security

Stephen de Vries (ContinuumSecurity)
Location: 211 Level: Intermediate
Average rating: ****.
(4.17, 18 ratings)
Slides:   1-PPTX 

We developed the BDD-Security testing framework to solve a number of problems with security testing web applications and infrastructure:

  • The security requirements of a project are often poorly defined, if at all
  • Security requirements are often expressed on dead documents that don’t fit into the development/operations workflow
  • Security testing relies on expensive, manual techniques that don’t scale to DevOps speed

Many security requirements and processes are shared by different web environments, so the BDD-Security framework provides a set of pre-written security stories that require only minor modification to run against different web applications.

In this talk we’ll demonstrate how to:

  • Configure the framework to test a web application
  • Walk through the pre-written security stories that test Authentication and Session Management
  • Use stories to wrap security processes like automated testing with the OWASP ZAP tool and Nessus
  • Use stories to ignore false positive results
  • Perform automated access control tests between different users
  • Configure a Jenkins job to run tests automatically on new code commit
Photo of Stephen de Vries

Stephen de Vries


Stephen founded ContinuumSecurity and the open source BDD-Security project with the goals of integrating security into software development. He is a 13 year application security veteran having worked as a consultant at KPMG, Internet Security Systems and Corsaire.

He’s currently focussed on building tools to support security in the software development lifecycle and provides security training for developers and QA staff.

Stephen has presented at popular security conferences including Blackhat USA/Europe, Hack in the Box, OWASP and at developer conferences such as Devoxx.